Print
Article
26.1

The Rise of Big Data and the Law of Armed Conflict

Laura A. Dickinson
Lyle T. Alverson Professor of Law, The George Washington University Law School

This Article is adapted from remarks delivered at a symposium entitled “On the Cusp of the Fourth Industrial Revolution: The International Law Perspective” held at the University of Chicago in January 2025. For a far more thorough exploration of the ideas introduced here, see generally Big Data and Armed Conflict: Legal Issues Above and Below the Armed Conflict Threshold (Laura A. Dickinson & Edward W. Berg eds. 2024).

Big data—extremely large quantities of information and the analytics used to process it—is now crucial to the way militaries operate on the battlefield. Data is used to run weapons systems, analyze intelligence, procure and deploy personnel, evaluate battlefield conditions, detain prisoners, and more. And not only is data increasingly being used on the battlefield, but operations targeting adversaries’ data—to acquire it, delete and destroy it, or distort or poison it—are becoming increasingly important as well. Beyond the battlefield, big data lies at the epicenter of adversarial activities below the armed conflict threshold. Because data is the fuel of artificial intelligence (AI), it is generating an AI arms race among the U.S., China, Russia, and other states, incentivizing large-scale cyber operations related to data. And big data is increasingly central to humanitarian operations on, and adjacent to, the battlefield, for example to monitor humanitarian crises, facilitate early warning systems, and deliver aid, as well as to investigate and prosecute atrocities.

All of these uses of data in military operations raise challenging interpretive questions under key bodies of international law: international humanitarian law (IHL), the jus ad bellum and international human rights law (IHRL). But they also challenge us to consider anew various long-standing critiques of legalism in the international sphere more generally: what we might call the efficacy critique—are these laws effective at all in constraining state and non-state actors?—what we might call the legitimation critique—do laws of war actually sanitize, and thereby legitimate, acts of aggression?—and the critique that law is simply ineffective in adapting to rapid technological or societal change.

This Article uses the rise of big data on the battlefield first to respond to these critiques and defend the importance of legalism when addressing armed conflict, and second to consider the multiple interpretive challenges and gaps in the law that are created by the new techno-social reality of big data on the battlefield. As in other instances of disruptive technological and societal change, the laws of armed conflict must be both justified anew and then adjusted, either through textual gap-filling, interpretive translation, policymaking, or the construction of new legal paradigms.

TABLE OF CONTENTS

I. Introduction

Military operations on and adjacent to the battlefield are increasingly relying on so-called “big data.” For the purposes of this essay, I am using the term “big data” to refer to extremely large quantities of data, as well as the analytics and systems used to process it.1 Armed forces are using such data to operate weapons systems, analyze intelligence, conduct procurement and deployment of personnel, evaluate battlefield conditions, conduct detention operations, and more.2 And not only is big data increasingly being used on the battlefield, but operations targeting adversaries’ data—for example, to acquire it, delete and destroy it, or distort and poison it—are also becoming increasingly important.3 Thus, big data is now central to a growing array of operations between and among adversaries, even though these operations generally do not involve what would traditionally be called armed conflict. Finally, big data is now playing a significant role in battlefield humanitarian operations, as well as in efforts to investigate war crimes and other atrocities.4  

All of these operations present challenging questions under three bodies of international law that potentially govern: international humanitarian law (IHL), the jus ad bellum, and international human rights law (IHRL). This Article surveys many of these legal questions and also aims to situate them amid broader theoretical concerns about the efficacy of international law and longstanding critiques of “legalism” in the international sphere, as well as concerns about international law’s response to technological and societal change. Here, the question becomes: When new technology puts pressure on existing legal doctrines, are entirely new paradigms (and treaties) needed? Or can the “gaps” be filled either through reinterpretation of existing legal doctrine or through “soft law” or policy approaches? Not surprisingly, there is a growing literature on the challenges of regulating AI and cyber operations in the international sphere.5 But to date, there has been relatively little focus on the variety of issues that relate to big data specifically.6  

This Article proceeds in four parts. First, I provide a brief overview of the ways in which big data is playing a growing role on and adjacent to the battlefield. Second, I identify some of the specific, challenging legal questions that operations related to big data raise under three existing bodies of international law: IHL, the jus ad bellum, and IHRL. Third, I identify how these various interpretive legal questions related to the use of big data also implicate broader scholarly critiques about the efficacy of international law and legalism, as well as debates about whether existing international law doctrines can be stretched to cope with technological and social change or whether entirely new paradigms are needed. Finally, I suggest that current international law regimes, along with accompanying soft law and policy-based mechanisms, can help address the rise of big data, even in the absence of entirely new treaties or legal instruments. 

II. Big Data in and Adjacent to Armed Conflict

Big data is becoming increasingly central to military operations in and adjacent to armed conflict. Armed forces and other governmental actors are using big data for targeting and other operations on the battlefield, as well as for adversarial operations below the armed conflict threshold. Such data has also become a significant component of battlefield humanitarian operations and efforts to investigate and prosecute atrocities.

A. Big Data on the Battlefield

On the battlefield, big data has permeated almost every aspect of military operations. Many weapons systems rely on big data to operate.7 Armed forces also depend on big data to analyze intelligence in order to identify and assess targets or to evaluate battlefield conditions.8 Data has become essential to procurement and logistics operations.9 And militaries are using big data in their detention operations, for example to aid in determining who should be detained.10

Not only is data increasingly being used within armed conflict, but operations targeting adversaries’ data are also becoming more and more important.11 Armed forces might seek to acquire data from adversaries as part of battlefield operations. Such data could include, for example, visual images of sites and targets, or the collection of data from computers and other devices. When conducting detention operations, armed forces and other actors are increasingly gathering vast troves of biometric data from detainees.12 And far from the battlefield, militaries and other governmental actors seek to collect data, including information about adversaries’ armed forces or governmental systems, as well as corporate, financial, or personal data that could be useful in the conduct of military operations.13 All of this data is being stored in data centers around the world, where civilian and military data are often co-mingled.14

 In addition to acquiring and retaining data, armed forces are also seeking to delete and destroy data, or to poison it.15 Efforts to delete data essential to the operation of military or governmental systems, either temporarily or for a longer term, often accompany more conventional military operations.16 Militaries may seek to delete or destroy data in the corporate or private sphere as well, in an effort to destabilize domestic tranquility in adversary countries. Finally, efforts to poison data that adversaries rely upon, whether in weapons systems, logistics, or intelligence, are becoming increasingly important.17  

Some potential wartime uses of big data may sound like the stuff of science fiction, but they are in fact here or just over the horizon, such as targeting systems that could deploy AI-enabled facial recognition technology on a vast scale.18 For example, in the armed conflict in Gaza, Israel reportedly used big data-fueled AI to generate targets at such a rapid pace that, according to some experts and critics, it overwhelmed the Israeli military’s capacity to evaluate the legality of its targets, thereby fundamentally changing the nature of warfare.19 Further on the horizon—but  perhaps not as distant as it may seem—brain-computer interfaces would allow computer systems to download and upload large quantities of data directly to and from the brains of armed forces in the field.20

Although the uses of big data and the harms of data acquisition or deletion may at times seem abstract or less severe than the more palpable and visible harms and costs of warfare, operations involving data do have chilling and severe consequences. It’s important to recognize that data is now inextricably bound up in targeting operations, including the use of lethal force and detention. In one example, when the United States withdrew its armed forces from Afghanistan in 2021 in a rushed operation, troves of biometric data were unintentionally left behind.21 The Taliban government has now reportedly used that data to find, detain, abuse, and summarily execute individuals who worked with the former government of Afghanistan, the United States, and allies.22

B. Big Data and Adversarial Operations below the Armed Conflict Threshold

Beyond the battlefield, big data lies at the epicenter of adversarial activities below the armed conflict threshold. Indeed, data is generating an “AI arms race” among the U.S., China, Russia, and other states because data is the “fuel” of AI.23 As a result, there are enormous incentives for states to conduct cyber and other operations related to data. Data acquisition and retention, in particular for use in AI systems—and thwarting adversarial acquisition and use of such data—may be one of the most important national security goals of the 21st century.24 In addition, governments may attempt to conduct operations to disable, delete, or poison such data. And governments may also conduct data operations to bring down financial systems, such as stock markets or banking operations, or to disrupt infrastructure systems such as dams, energy grids, or GPS-based applications.

C. Big Data in Humanitarian Operations and Atrocity Investigations

Finally, big data is increasingly used in humanitarian operations on, and adjacent to, the battlefield. For example, governments, intergovernmental organizations (IOs), and non-governmental organizations (NGOs) are using big data to monitor humanitarian crises, facilitate early warning systems, and deliver aid.25 They are also relying on big data to investigate and prosecute atrocities.26 Such data includes “data exhaust” (e.g., cell phone records and the records of smart devices), online activity (e.g., social media), sensing technologies (e.g., satellite data), and crowdsourced information.”27 This data can be used, for example, to pinpoint locations of atrocities or search for images of perpetrators and their acts.28 In addition, such data can help provide evidence concerning how widespread certain acts were, which is necessary to prove some forms of atrocities, such as crimes against humanity.29

III. How the Rise of Big Data Challenges Traditional International Law Doctrines 

All of these uses of big data on and adjacent to the battlefield raise challenging interpretive questions under three bodies of international law: IHL, the jus ad bellum, and IHRL. These existing rules do not mention data and were not designed to address the myriad issues that arise when militaries or governmental actors either use or target data. This Section charts some of the biggest gaps and interpretive questions that arise.

A. Big Data and International Humanitarian Law

1. Targeting data

Within armed conflict, one of the thorniest legal questions related to operations targeting data is the question of whether core IHL targeting principles and rules that govern “attacks” would apply, and if so, how they apply. These core principles include (1) distinction, instantiated in rules prohibiting attacks on civilians and civilian objects;30 (2) proportionality, reflected in the rule that the expected military advantage of any attack must outweigh any harm to civilians and civilian objects;31 and (3) feasible precautions, the requirement that armed forces must take steps, if possible, to warn civilians or otherwise minimize civilian harm.32

But how do these three principles apply to attacks on data? Assume, for example, that Russia wants to destroy Ukrainian military data in a data center in order to thwart the operation of Ukrainian weapons systems that rely on that data. Assume too that the data is commingled with civilian data. Or, suppose Russia seeks to destroy data in critical infrastructure, such as a power grid. Alternatively, suppose Russia seeks to deliberately destroy Ukrainian civilian data, such as financial data or healthcare data.

Are these to be considered attacks under IHL, such that the IHL principles and rules governing attacks apply to all of them? Additional Protocol I to the 1949 Geneva Conventions defines attacks as “acts of violence against the adversary, whether in offence or defence.”33 The question of whether operations against data constitute such “attacks” is therefore particularly challenging when the operations do not have any discernable, immediate kinetic effects. When operations against data do produce kinetic effects analogous to conventional military operations, many states and experts would agree that the operation is an attack and that the IHL rules pertaining to attacks would apply.34 Thus, in the example above, the Russian operation to destroy data in a power grid, if it in fact shut down the grid, would likely constitute an attack if it caused people to be harmed or die, for example if hospitals lost their power. But consider an operation to delete civilian financial and health data. In that case, the operation does not physically harm anyone, and (depending on how the operation is conducted) no objects are destroyed or damaged. In that example, some states and experts would take the position that the operation is not an attack and therefore the rules against attacks simply would not apply.35  

Other states and commentators, however, would argue that some operations against data can constitute attacks even if there is no clear kinetic effect.36 The examples above might qualify. So, then the question becomes, how do the rules apply in these circumstances? Is data itself an object? When is data civilian, and when is it military in character? How should data poisoning operations be analyzed?

If the IHL targeting rules don’t apply to some operations involving data, what then? Does some other body of law, such as IHRL, potentially fill the gaps? Many states take the view that although IHL governs armed conflicts, IHRL remains applicable.37 If so, and IHL doesn’t apply because an operation is not an “attack,” would IHRL background rules apply? Or, if not, are operations against data within armed conflict essentially in a law-free zone so long as there are no kinetic effects? And, if that’s the case, is that normatively desirable, or do we need to craft new law to address the gap? Or is the best solution to rely on proposed statements of good practice or policy? 

2. Atrocity investigation and other humanitarian operations

Another set of questions under IHL involves the role of big data in efforts to investigate and prosecute war crimes and other atrocities, or to conduct humanitarian operations. To some extent, all of this data makes atrocity investigation easier.38 However, the vast quantities of data can also create a data “glut,” requiring investigators to sift through and verify large amounts of data to determine if it is useful or accurate.39 Is there a data verification rule that can be teased out of IHL’s obligation to investigate and prosecute war crimes? If so, does it permit AI to evaluate and assess data? Or is this a gap that IHL doesn’t cover?

Adding more complexity, private parties own much of the data relevant to atrocity investigation or humanitarian relief efforts.40 IHL applies to all actors within armed conflict, but does the obligation to investigate war crimes41 and other atrocities extend to non-state actors? And do private corporations holding relevant data have obligations under IHL with respect to humanitarian relief efforts?

It should also be noted that there are some contexts in which there is a notable absence of data, such as the places where sexual violence is committed.42 Rapes and other war crimes may occur in locations hidden from view, out of reach of satellites or cameras, and without leaving a trace within data exhaust. Does the growing reliance on data de-prioritize the investigation and prosecution of these crimes, effectively erasing them even further from notice and accountability?43

3. Data privacy and data bias 

Operations involving data in armed conflict also implicate norms that aren’t readily assimilated into IHL. For example, the collection of large data sets for use in weapons systems and data analytics on the battlefield raises significant privacy questions related to data acquisition and retention,44 as well as questions about bias and discrimination on the basis of race and other characteristics.45 Thus, if militaries use big data to conduct facial recognition targeting, and there is racial bias in acquisition or use of the data, does IHL address that issue? In addition, does IHL require consideration of data privacy? Many states and commentators say no.46 But some argue that IHL encompasses these norms, at least to some degree. For example, Asaf Lubin has contended that the IHL duty of constant care, under the customary principle of precautions in attack, includes a data protection rule that encompasses legality, transparency, and data integrity.47  

B. Big Data and the Jus ad Bellum

The acquisition, use, and targeting of big data below the armed conflict threshold also raise complex questions about how the jus ad bellum and related rules apply to adversarial operations involving big data.  Such operations raise a series of questions. When do these sorts of operations constitute an armed attack, thereby triggering the right to self-defense? When might constitute a prohibited threat or use of force? Do they constitute a prohibited intervention into the affairs of a state below the use-of-force threshold or otherwise interfere with state sovereignty? Or, conversely, do they fall into the generally acceptable domain of cyber espionage or propaganda?

As in the IHL context, the biggest challenge and area of debate arises when the operations have no discernable, immediate kinetic effects. In such contexts, operations involving data, whether through cyber or other means, cannot easily be analogized to more traditional or conventional operations. Certainly, the deletion of large quantities of financial data that might impede the functioning of a stock market, or simply the acquisition of such data, may have enormous consequences. But because that sort of attack does not clearly fit into existing categories, such as a use of force or armed attack, or even an interference with state sovereignty, there is robust debate about whether the jus ad bellum and related rules would govern such operations at all.48

C. Big Data and International Human Rights Law 

Finally, the role of big data on and adjacent to the battlefield raises tough questions for the application of IHRL. Unlike IHL, there is no question that IHRL protects privacy rights49 and prohibits discrimination.50 However, operations that use and target data on or near the battlefield present challenges involving the proper intersection of IHRL and IHL within armed conflict. As noted above, many states maintain that IHRL remains applicable in the background, even if it is sometimes displaced by IHL.51 If so, should IHRL principles and values—such as protections against bias or invasions of privacy—sometimes influence the application of IHL principles, such as civilian harm?

In contrast, other states, such as the U.S., take the position that IHL largely displaces IHRL in armed conflict.52 But if IHL is silent, for the reasons discussed above, what then? Do IHRL rules fill the gaps, perhaps imposing protections for data privacy and non-discrimination? Or might IHRL principles apply as a matter of good state practice, soft law, or policy? Or are these IHRL norms and values simply excluded from operations using and targeting data in armed conflict?

There are also difficult questions about the applicability of IHRL to extraterritorial actions, actions that states take outside their borders. Thus, for example, IHRL would clearly govern big data acquisition and other efforts a state might take within its own borders. But to what extent do IHRL rules, such as privacy rights and bias prohibitions, govern data operations that are extraterritorial—for example, if a country gathers, stores, or destroys data outside its borders?

A final challenging issue involves the role of non-state actors in all of these operations. IHL applies to states and non-state actors alike within armed conflict. But IHRL and the jus ad bellum have what we might call “state action” components: the law imposes obligations only on states. So, we must ask, when can actions by non-state actors, such as hackers, terrorists or private contractors, be attributed to a state, thereby making states responsible for their actions?

IV. Big Data and Critiques of International Law

As outlined above, many uses of big data raise significant legal ambiguities and interpretive questions. Such problems of legal interpretation and application are perhaps inevitable in times of technological change. As Gary Marchant has discussed extensively,53 law is often exponentially slow in catching up with new technology, and that’s certainly the case here. But in the context of international law in particular, these interpretive questions implicate broader critiques that need to be addressed anew as we consider international law’s response to the rise of big data. Here, I identify and respond to three such critiques: what might be called (1) the “efficacy critique,” (2) the “legitimation critique,” and (3) the “critique of legalism under conditions of technological and social change.”

A. The Efficacy Critique

Whenever one addresses the scope of international law rules, or interpretive questions related to such rules, skeptics challenge whether these legal rules matter at all, given that international law contains limited enforcement mechanisms and is therefore always imperfectly enforced. From this perspective, it is perhaps pointless to spend time addressing gaps in international legal regimes as they apply to operations involving big data. After all, if states do not obey international law anyway, why bother working through all the ambiguities? We might call this the “efficacy critique” or the “compliance critique.”

From the right, international relations realists and rational choice scholars often claim that states only obey international law when it serves their interests.54 On this view, international law has no efficacy independent of such interests. It is mere window dressing. Meanwhile, on the left, many socio-legal scholars are similarly skeptical of legal doctrine’s ability to constrain behavior independent of mechanisms of enforcement and coercive power.55

Although there is certainly some truth to these critiques, I think they are overstated. When we speak of state interests, it is important to remember that states are not monolithic. Many constituencies and power centers operate both within government and outside of it. And these constituencies can use international law to gain leverage and make arguments that otherwise might not have been available. For example, internally within the U.S. executive branch and that of other states, governmental officials—including those in the armed forces—interpret, apply, and follow international law. IHL constrains which targets are selected, how detainees are treated, and so on. To be sure, there are often robust debates about the interpretation of the law. And representatives from NGOs, IOs, or other states may disagree intensely about how various actors are interpreting and applying the law. But at a minimum, international law helps shape state interests and plays a role in guiding and constraining them.56

In addition, compliance with legal norms in general, international or domestic, does not depend only on coercive force. As socio-legal scholar Robert W. Gordon wrote decades ago, “the power exerted by a legal regime consists less in the force that it can bring to bear against violators of its rules than in its capacity to persuade people that the world described in its images and categories is the only attainable world in which a sane person would want to live.”57 From this perspective, state officials and individuals throughout society follow law because they have imbibed its norms into consciousness as simply the way things are and should be. Over time, legal obedience becomes reflexive, and institutions and habits grow a kind of path dependency that reinforces law’s efficacy independent of coercive force. Indeed, it’s worth recognizing that no law is perfectly enforced, domestic or international, but that doesn’t mean the law doesn’t have real impact.

So, all of this is to say that international law norms actually matter and actually affect behavior on the ground. To be sure, they do not always do so, and they may not do so perfectly. But the impact is real, and so the question of how these rules apply to new contexts, such as big data, remains an important one with significant practical consequences.

B. The Legitimation Critique

Another critique of legalism in the international sphere, particularly as applied to IHL, might be called the “legitimation critique.” This view is associated with scholars such as Samuel Moyn, who contend that, by making warfare more humane, IHL may make wars more likely to be waged because the existence of the international legal regime sanitizes war and makes it more palatable.58 From this perspective, detailed IHL rules often legitimize, and thus perpetuate, war. Therefore, one might think that any effort to identify gaps in IHL or other bodies of international law and seek to fill them is potentially quite harmful—such an enterprise could actually further legitimate warfare.

The problem with this critique, however, is that there isn’t really strong evidence of a causal link between the development of IHL and the propensity to wage war. Because wars are fought for a wide variety of reasons, it seems implausible to assert that the development of IHL itself truly has had a significant impact on the decision to wage war. And if wars are likely to break out regardless of the existence of IHL, it seems worthwhile to try to apply some set of humanitarian principles to minimize civilian casualties or the use of torture.

To be sure, one might be concerned that new technologies of warfare (such as the use of unmanned aerial vehicles, also referred to as drones), or operations against big data, make wars more likely because they allow states to wage war at a distance, without as many casualties. That is a different argument, however. And it does have some validity, particularly in situations where there is an asymmetry in technological power, and one side can wage war without suffering. But as we have seen in Ukraine, if both sides are using drones and other new technology assiduously, both sides suffer casualties related to the use of these new technologies. Therefore, it is not clear that over time the existence of such technologies will result in an increased number of wars being waged.

C. The Critique of Legalism under Conditions of Technological and Societal Change

Finally, operations involving big data on or adjacent to the battlefield implicate what might be called a critique of legalism under conditions of technological and societal change. Indeed, such operations raise the same sorts of big-picture questions that changes in technology or other social changes have often presented for international law. Prior examples include the rise of transnational terrorism, the increasing role of private corporate actors in military operations, urbanization, or the emergence of cyber-operations or AI in weapons systems.59 Each of these changes requires analysis of whether the fundamental nature of armed conflict has changed so significantly that entirely new paradigms or treaty regimes are necessary, because existing legal frameworks are ill-designed and structurally inadequate to address or regulate the changed landscape of warfare. Alternatively, gap-filling or translation exercises could adapt or stretch existing law to address the new reality.

In the context of international law, this debate between the need for new paradigms and the possibility of translating existing principles has important pragmatic and substantive components. As a practical matter, if existing law is deemed structurally inadequate and obsolete, then we may be left with no applicable international law, given that the current geo-political climate renders it nearly impossible to develop new law, particularly multilateral treaty law.60

More substantively, while it is certainly true that the international legal rules governing armed conflict (and related bodies of international law) were not crafted to deal with big data, that in and of itself does not render those rules completely obsolete. To the contrary, the fundamental principles in these bodies of law, such as the protection of civilians and civilian objects—as well as the balancing of these protections against the imperative of military necessity—are capacious ones. Just as these principles have proven resilient in their application to transnational terrorism, privatization, urbanization, and other new military technologies,61 I would contend that they can, in most instances, also be interpreted so that they can meaningfully apply to a wide range of operations involving big data.

V. Applying Existing International Law Principles to the Rise of Big Data

As discussed above, the growing use of big data on or adjacent to the battlefield poses many interpretive or “translation questions” regarding IHL and other related bodies of international law. These sorts of translation questions often arise when new battlefield technologies—such as cyber or AI—emerge, or when new social contexts—such as transnational terrorism or increasing privatization—challenge existing legal paradigms. In the case of big data, one of the biggest questions to resolve is how IHL norms and principles might translate to operations that have no real kinetic effects analogous to more traditional armed attacks.

In these times of technological change, we see a debate between those who think existing law is up to the task and therefore focus on translating the principles embedded in existing law to new contexts, and those who insist that the gaps are just too enormous for the translation enterprise to succeed and instead propose new legal regimes. Finally, there is a third group that acknowledges the gaps in international law as applied to big data but doesn’t necessarily see the absence of legal rules in this domain as a problem.

For the translators, the work is to see how the principles translate, though there might be divergence among them as to the way in which the specific rules apply. For example, as noted above, although the term “attacks” in Additional Protocol I does not explicitly refer to operations against data, the treaty text does refer generally to “acts of violence against the adversary, whether in offence or defence.”62 Based on this language, some argue that any operation that is roughly equivalent to a conventional military attack should qualify as an armed attack under IHL. Australia, for example, has stated that “a cyber activity may constitute an ‘attack’ against an adversary under IHL if it rises to the same threshold as a kinetic ‘attack,’” an approach that could apply to cyber operations against data.63 France has taken an even more encompassing approach to IHL in this context, making the argument that whether a cyber-operation (presumably including operations against data) is an attack “does not depend on material considerations.”64 There is also the related question of whether data alone counts as an object of attack, thereby making it subject to legal regulation, with some states and experts concluding that it does not count as an object, and others, such as France, concluding that it does.65 Finally, even for states that believe operations against data are “attacks” and that data is an object, there is the downstream question of how to determine whether data is “civilian” for the purposes of applying rules such as proportionality.

In addition to nation-states, a number of prominent scholars have made important arguments for translation as well. François Delerue, for example, has recently provided an account of how states should make such determinations about the application of international law rules to big data stored around the world, particularly when civilian and military data are commingled.66 Meanwhile, Asaf Lubin has argued that IHL’s duty of constant care should govern many military operations involving data, and he therefore provides a set of principles that should be applied to data acquisition, retention, and destruction.67 And Ido Kilovaty has contended, within the jus ad bellum, that we should not base the determination of whether operations against data constitute a use of force or an armed attack solely on analogies to kinetic effects, but also on how much data is affected by an operation.68

In contrast, for those who think that legal principles and rules do not sufficiently translate to the new context, the rise of big data creates an essentially unregulated space. The question then is whether that gap should be filled somehow with new law, with soft law or policy, or whether the unregulated space should be left as it is. Accordingly, some scholars and experts call for new treaties or expanded conceptions of customary international law in order to address the problem.69 For example, Finnuala Ní Aoláin, the former U.N. Special Rapporteur for Counterterrorism, has highlighted broad gaps and structural problems in the capacity of both IHL and IHRL to address widespread collection, misuse and destruction of data, in what she calls the “datafication” of counterterrorism.70 She suggests that a new legal paradigm may be needed.71

Others call for gap-filling through policy or soft law. Mike Schmitt, for example, has taken the position that many operations against data should not be deemed “attacks” and that data is not an object within IHL, but has nevertheless contended that states should regulate such operations through policies, rather than law.72 And Galit Sarfaty has highlighted both the problem that IHRL does not directly bind non-state actors holding data relevant to humanitarian operations and that IHL may not impose clear duties upon those non-state actors to release such data when relevant to activities in conflict zones.73 Sarfaty responds to these gaps by calling for corporate codes of conduct and a soft law regime in this domain.74

Finally, some states and experts seem to take the position that the lack of international law regulation concerning certain activities involving data might not be a problem at all. For example, Israel and the U.S. have adopted relatively narrow views regarding the conditions under which operations against data might constitute an “attack” within IHL, and they have chosen not to advance policies or other measures to address the regulatory gap.75 Eric Jensen and Gary Corn have argued that significant operations related to data outside armed conflict—activity they dub “cybotage”—falls below all relevant thresholds under the jus ad bellum and related legal doctrines.76 Although they do not necessarily advocate the practice of cybotage, they nonetheless suggest that such operations may be important for the U.S. to counter China and other adversaries.77

V. Conclusion

In my own view, this is not a fruitful moment for developing new, broad multilateral treaties to address military operations involving data because such efforts are likely to fail, leaving international law more weakened than before. Furthermore, existing treaties, through their broad purposes and principles, can and have been read capaciously to apply to new challenges, such as privatization, transnational counterterrorism, and urbanization.78 Therefore, I think that in many instances these principles can be plausibly read to cover issues that arise related to operations against data. And where translation of existing legal regimes is too much of a stretch, policies and soft law initiatives can fill many gaps. Again, this approach has been shown to be effective in other domains.79 Finally, if we were to acquiesce to the idea that attacks on data constitute a law-free zone, we risk legitimating actions that can cause significant data-based harm to civilians and others. Indeed, part of the impact of international law is that simply the act of de-legitimating actors who perpetrate harms—whether through translation, soft law, or policy—can itself be a tool to constrain states that do not follow the rules.

When it comes to big data, the existing international law regimes of IHL, the jus ad bellum, and IHRL are perhaps outdated, perhaps difficult to apply to new contexts, and perhaps imperfectly enforced. But that has almost always been true. Despite such flaws, these regimes remain our best hope for adherence to principles that affirm human values even in wartime. And so, it is worth the Herculean effort to hold to these principles and at least try to translate them to new contexts, while empowering state and non-state actors to argue for their creative application to the new world of data warfare that is rapidly emerging.

  • 1Paul Symon & Arzan Tarapore, Defense Intelligence Analysis in the Age of Big Data, 79 Joint Force Q. 5 (2015).
  • 2For further discussion of these developments, see generally Big Data and Armed Conflict: Legal Issues Above and Below the Armed Conflict Threshold (Laura A. Dickinson & Edward W. Berg eds. 2024) (hereinafter Big Data and Armed Conflict).
  • 3For further discussion of these developments, see generally id.
  • 4For further discussion of these developments, see generally id.
  • 5See, e.g., Ashley Deeks, The Double Black Box: National Security, Artificial Intelligence, and the Struggle for Democratic Accountability (2024); Rebecca Crootof, Margot Kaminski, & Nicholson Price, Humans in the Loop, 76 Vand. L. Rev. 429 (2023); Ken Anderson & Matthew Waxman, Debating Autonomous Weapon Systems, Their Ethics, and Their Regulation Under International Law, inThe Oxford Handbook of Law, Regulation, and Technology (2017).
  • 6An important exception is The Rights to Privacy and Data Protection in Times of Armed Conflict (Russell Buchan & Asaf Lubin eds. 2022); see also Big Data and Armed Conflict, supra note 2.
  • 7See Laura A. Dickinson, Translation or Disruption?, International Law, Military Operations, and the Challenges of Big Data, in Big Data and Armed Conflict, supra note 2, at 1, 2.
  • 8See Asaf Lubin, The Duty of Constant Care and Data Protection in War, in Big Data and Armed Conflict, supra note 2, at 229; Ashley S. Deeks, Predicting Enemies, 104 Virginia L. Rev. 1529, 1531 (2018).
  • 9See Lubin, supra note 8.
  • 10See Fionuala Ní Aoláin, The Datafication of Counterterrorism, in Big Data and Armed Conflict, supra note 2, at 319, 335–38.
  • 11See Gary P. Corn & Eric Talbot Jensen, “Attacking” Big Data: Strategic Competition, the Race for AI, and the International Law of Cyber Sabotage, in Big Data and Armed Conflict, supra note Error! Bookmark not defined., at 91, 93–94.
  • 12See Aoláin, supra note 10.
  • 13See Corn & Jensen, supra note 11.
  • 14See François Delerue, Data Centers and International Humanitarian Law, in Big Data and Armed Conflict, supra note 2., at 207.
  • 15Mark A. Visger, Garbage In, Garbage Out: Data Poisoning Attacks and their Legal Implications, in Big Data and Armed Conflict, supra note 2, at 179.
  • 16See id.
  • 17See id.
  • 18See Stop Autonomous Weapons, Slaughterbots, YouTube (Nov. 12, 2017), https://perma.cc/3LYY-QRSN.
  • 19See Omar Yousef Shahabi & Asaf Lubin, Israel – Hamas 2024 Symposium - Algorithms of War: Military AI and the War in Gaza,Articles of War (Jan. 24, 2024), https://perma.cc/68ZM-NNUT.
  • 20See Noam Lubell & Katya Al-Khateeb, Cyborg Soldiers: Military Use of Brain-Computer Interfaces and the Law of Armed Conflict, in Big Data and Armed Conflict, supra note 2, at 249.
  • 21See, e.g., New Evidence that Biometric Data Systems Imperil Afghans: Taliban Now Control Systems with Sensitive Personal Information, Human Rights Watch (March 30, 2022), https://perma.cc/MU5N-QNN7. This is a point that Asaf Lubin often makes in discussing his work on regulating the uses of data.
  • 22Id.
  • 23See Corn & Jensen, supra note 11.
  • 24See, e.g., Maddie Gannon, National security adviser says AI is ‘single most dramatic development’ in a long time in exit interview, Spectrum News (Jan. 13, 2025), https://perma.cc/JBA9-3SL5.
  • 25See Galit A. Sarfaty, Corporate Data Responsibility, in Big Data and Armed Conflict, supra note 2, at 275.
  • 26See id.
  • 27See id.
  • 28See Beth Van Schaack, Leveraging Big Data for LOAC Enforcement: Finding the Needle in a Stack of Needles, in Big Data and Armed Conflict, supra note 2, at 291.
  • 29See id.
  • 30Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts, arts. 51(2), 52(1), June 8, 1977, 1125 U.N.T.S. 3 [hereinafter Protocol I].
  • 31Additional Protocol I, supra note 30, arts. 51(5)(b), 57(2)(a)(iii).
  • 32Additional Protocol I, supra note 30, art. 57(2). For a useful analysis of these principles as applied to attacks on data, see Michael N. Schmitt, Big Data:International Law Issues During Armed Conflict, in Big Data and Armed Conflict, supra note 2., at 151.
  • 33Additional Protocol I, supra note 30, art. 49.
  • 34See Schmitt, supra note 32.
  • 35The example involving the destruction of military data necessary to the operation of Ukrainian weapons is also a hard case. If the operation actually disables the weapons, then some states and experts who view kinetic effects as a prerequisite for an attack may view this as a kinetic effect. But if they interpret kinetic effect as requiring some sort of physical harm to persons or objects of attack, they may view even this sort of operation as falling outside the definition of an “attack.”
  • 36See Schmitt supra note 32.
  • 37See Marco Sassoli & Laura M. Olson, The Relationship Between Human Rights and Humanitarian Law Where It Matters: Admissible Killing and Internment of Fighters in Non-International Armed Conflicts, 90 Int’l Rev. Red Cross 599, 603 (2008); see also Michael N. Schmitt, Big Data: International Law Issues Below the Armed Conflict Threshold, in Big Data and Armed Conflict, supra note 2, at 29.
  • 38See Van Schaack, supra note 28.
  • 39See id.
  • 40See Sarfaty, supra note 25.
  • 41Convention (IV) Relative to the Protection of Civilian Persons in Time of War, art. 146, Aug. 12, 1949, 6 U.S.T. 3516.
  • 42See Van Schaack, supra note 28.
  • 43See id.
  • 44See Lubin, supra note 8.
  • 45See, e.g., Shiri Krebs, Above the law: Drones, aerial vision and the law of armed conflict—a socio-technical approach, 105 Int’l Rev. Red Cross 1690 (2023).
  • 46See Dickinson, supra note 7.
  • 47See Lubin, supra note 8.
  • 48See Corn & Jensen, supra note 11.
  • 49See, e.g., International Covenant on Civil and Political Rights art. 17, Dec. 19, 1966, 999 U.N.T.S. 171 [hereinafter ICCPR].
  • 50See, e.g., id. at art. 2.
  • 51See Schmitt, supra note 32.
  • 52See id.; see also Operational Law Handbook 40 (Marie Anderson & Emily Zukauskas eds., 2008).
  • 53See, e.g., Gary E. Marchant, The Growing Gap Between Emerging Technologies and the Law, in The Growing Gap Between Emerging Technologies and Legal-Ethical Oversight: The Pacing Problem 19 (Gary E. Marchant et al. eds., 2011).
  • 54See, e.g., Kenneth N. Waltz, Theory of International Politics (1979); Hans J. Morgenthau, Politics Among Nations: The Struggle for Power and Peace 5 (5th ed., 1973).
  • 55See, e.g., David M. Kennedy, The Dark Sides of Virtue: Reassessing International Humanitarianism (2005).
  • 56See, e.g., Martha Finnemore, National Interests in International Society (1996); Ryan Goodman & Derek Jinks, Socializing States: Promoting Human Rights through International Law (2013).
  • 57Robert W. Gordon, Critical Legal Histories, in Taming the Past: Essays on Law in History and History in Law 220, 267 (2017).
  • 58See generally Samuel Moyn, Humane: How the United States Abandoned Peace and Reinvented War (2021).
  • 59See Laura A. Dickinson, The Jus in Bello Under Strain: Diluted but not Disintegrating, inIs the International Legal Order Unraveling? 184 (David Sloss ed., 2022).
  • 60See, e.g., Jack L. Goldsmith, Curtis Bradley, and Oona Hathaway, The Failed Transparency Regime for Executive Agreements: An Empirical and Normative Analysis, 134 Harv. L. Rev. 629, 629–30 (2020).
  • 61For further discussion of this point, see Dickinson, supra note 59, at 184.
  • 62Additional Protocol I, supra note 30, art. 49.
  • 63See Schmitt, supra note 32.
  • 64See id.
  • 65See id.
  • 66See Delerue, supra note 14.
  • 67See Lubin, supra note 8.
  • 68See Ido Kilovaty, Attacking Big Data as a Use of Force, in Big Data and Armed Conflict, in Big Data and Armed Conflict, supra note 2, at 135.
  • 69See, e.g., White Paper on the Need to Strengthen International Humanitarian Law to Address the Challenges of 21st Century Warfare, 57 J. Intl. L. Symp. (forthcoming 2025), https://perma.cc/S4BL-BC7Z.
  • 70See Aoláin, supra note 10.
  • 71See id.
  • 72See Schmitt, supra note 32.
  • 73See Sarfaty, supra note 25.
  • 74See id.
  • 75See Schmitt, supra note Error! Bookmark not defined..
  • 76See Corn & Jensen, supra note 11.
  • 77See id.
  • 78See Dickinson, supra note 59.
  • 79For an example of such an approach in the context of private military and security contractors, see Laura A. Dickinson, Regulating the Privatized Security Industry: The Promise of Public/Private Governance, 63 Emory L.J. 417 (2013).
    Law of War and Armed Conflict Public International Law